Bug 312951 - utrace: crash - utrace_get_signal
utrace: crash - utrace_get_signal
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
8
All Linux
medium Severity high
: ---
: ---
Assigned To: Roland McGrath
Fedora Extras Quality Assurance
bzcl34nup
:
Depends On:
Blocks: 312961 313081 313111 313131 351031
  Show dependency treegraph
 
Reported: 2007-09-30 07:06 EDT by Jan Kratochvil
Modified: 2008-06-08 13:56 EDT (History)
3 users (show)

See Also:
Fixed In Version: kernel-2.6.25.4-10.fc8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-06-08 13:56:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Testcase, a modified one from adobriyan-at-sw.ru. (2.25 KB, text/plain)
2007-09-30 07:06 EDT, Jan Kratochvil
no flags Details

  None (edit)
Description Jan Kratochvil 2007-09-30 07:06:58 EDT
+++ This bug was initially created as a clone of Bug #207002 +++

Problem separated as according to Roland McGrath it is a different one than in
the reopened Bug #207002 Comment 0.

Description of problem:
-- Additional comment from adobriyan@sw.ru on 2007-05-29 03:55 EST --
We saw the following oops on rhel5 utrace code

BUG: unable to handle kernel paging request at virtual address 7ca1c291
EIP is at utrace_get_signal+0x46/0x477
          get_signal_to_deliver+0xdf/0x3b1
          do_notify_resume+0xa9/0x6a5
          audit_syscall_exit+0x285/0x2a1
          work_notifysig+0x13/0x19
          copy_to_user_policy+0x73/0x7f

The failing IP corresponds to code in utrace_get_signal():

int
utrace_get_signal(struct task_struct *tsk, struct pt_regs *regs,
                  siginfo_t *info, struct k_sigaction *return_ka)
{
        struct utrace *utrace = tsk->utrace;
                ...
        if (utrace->u.live.signal != NULL) {
                signal.signr = utrace->u.live.signal->signr;
                copy_siginfo(info, utrace->u.live.signal->info);
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^

Bogus pointer was supplied here.

How ->utrace assignment should be handled correctly?
---------------------------------------------------------------------

On (2 CPUs; qemu-kvm) kernel-2.6.23-0.211.rc8.git2.fc8.x86_64 seen:

------------[ cut here ]------------
kernel BUG at kernel/utrace.c:328!
invalid opcode: 0000 [1] SMP
CPU 0
Modules linked in: snd_hda_intel snd_usb_audio snd_seq_dummy snd_seq_oss
snd_seq_midi_event snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_timer
snd_page_alloc snd_usb_lib snd_rawmidi snd_seq_device snd_hwdep snd soundcore
nfs nfsd exportfs lockd nfs_acl auth_rpcgss sunrpc ipv6 dm_mirror dm_mod video
output sbs button battery ac floppy 8139too parport_pc 8139cp parport mii sr_mod
cdrom sg ata_piix ahci libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd
ehci_hcd
Pid: 22164, comm: clone-get-signa Not tainted 2.6.23-0.211.rc8.git2.fc8 #1
RIP: 0010:[<ffffffff8107570f>]  [<ffffffff8107570f>] check_dead_utrace+0xfb/0x166
RSP: 0018:ffff810006517e58  EFLAGS: 00010246
RAX: 0000000000000000 RBX: 000000000007e569 RCX: 0000000000000000
RDX: 0000000000000008 RSI: ffff81000556f240 RDI: ffff81000570a000
RBP: ffff81000570a000 R08: 00000000000001e1 R09: 0000000000000000
R10: ffffffff8107503b R11: 0000000000000212 R12: 0000000000000000
R13: ffff81000556f240 R14: 0000000000000000 R15: 0000000000000000
FS:  00002aaaaaac26f0(0000) GS:ffffffff813d7000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 000000304b550904 CR3: 0000000009bba000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process clone-get-signa (pid: 22164, threadinfo ffff810006516000, task
ffff81000654a000)
Stack:  000000000007e569 ffff81000570a000 0000000000000000 000000000007e569
 ffff81000570a000 ffffffff81075eef 0000000000000018 000000000007e569
 ffff81000556f240 ffff81000570a000 ffff8100050b9480 ffffffff81076069
Call Trace:
 [<ffffffff81075eef>] wake_quiescent+0x57/0x12e
 [<ffffffff81076069>] utrace_detach+0xa3/0xba
 [<ffffffff81077d2a>] ptrace_detach+0x6e/0x10b
 [<ffffffff810782fc>] ptrace_common+0x98/0x184
 [<ffffffff81078d68>] sys_ptrace+0xf0/0x1ed
 [<ffffffff8100bd2a>] tracesys+0x71/0xda
 [<ffffffff8100bd8e>] tracesys+0xd5/0xda


Code: 0f 0b eb fe 4c 89 ef e8 58 fd ff ff 49 83 fe 10 75 3a 8b b5
RIP  [<ffffffff8107570f>] check_dead_utrace+0xfb/0x166
 RSP <ffff810006517e58>
BUG: spinlock lockup on CPU#0, clone-get-signa/22164, ffff81000556f260 [Tainted:
G      D]

Call Trace:
 [<ffffffff8112e6d0>] _raw_spin_lock+0xd7/0xfe
 [<ffffffff81269850>] _spin_lock+0x47/0x52
 [<ffffffff8107503b>] get_utrace_lock_attached+0x34/0x61
 [<ffffffff81075fdb>] utrace_detach+0x15/0xba
 [<ffffffff81078be9>] ptrace_exit+0x69/0xf8
 [<ffffffff8103b051>] do_exit+0x151/0x8d2
 [<ffffffff8100d42d>] kernel_math_error+0x0/0x71
 [<ffffffff8100d87a>] do_invalid_op+0x8a/0x94
 [<ffffffff8107570f>] check_dead_utrace+0xfb/0x166
 [<ffffffff81032747>] sched_balance_self+0x153/0x2a5
 [<ffffffff810542cb>] mark_held_locks+0x49/0x67
 [<ffffffff812692eb>] trace_hardirqs_on_thunk+0x35/0x37
 [<ffffffff8126a1ad>] error_exit+0x0/0x96
 [<ffffffff8107503b>] get_utrace_lock_attached+0x34/0x61
 [<ffffffff8107570f>] check_dead_utrace+0xfb/0x166
 [<ffffffff81075eef>] wake_quiescent+0x57/0x12e
 [<ffffffff81076069>] utrace_detach+0xa3/0xba
 [<ffffffff81077d2a>] ptrace_detach+0x6e/0x10b
 [<ffffffff810782fc>] ptrace_common+0x98/0x184
 [<ffffffff81078d68>] sys_ptrace+0xf0/0x1ed
 [<ffffffff8100bd2a>] tracesys+0x71/0xda
 [<ffffffff8100bd8e>] tracesys+0xd5/0xda

BUG: spinlock lockup on CPU#1, clone-get-signa/22165, ffff81000556f260 [Tainted:
G      D]

Call Trace:
 [<ffffffff8112e6d0>] _raw_spin_lock+0xd7/0xfe
 [<ffffffff81269850>] _spin_lock+0x47/0x52
 [<ffffffff81075c2a>] utrace_quiescent+0x148/0x21b
 [<ffffffff81076b07>] utrace_get_signal+0x4b1/0x514
 [<ffffffff810428ee>] get_signal_to_deliver+0x5a/0x3fb
 [<ffffffff810429ba>] get_signal_to_deliver+0x126/0x3fb
 [<ffffffff8100b0e9>] do_notify_resume+0xa8/0x733
 [<ffffffff81269c50>] _spin_unlock_irqrestore+0x3e/0x44
 [<ffffffff8102e08e>] update_curr+0xf8/0x11a
 [<ffffffff81052542>] lock_release_holdtime+0x27/0x48
 [<ffffffff810544bd>] trace_hardirqs_on+0x12e/0x151
 [<ffffffff81269be8>] _spin_unlock_irq+0x24/0x27
 [<ffffffff8100be3c>] int_signal+0x12/0x17

---------------------------------------------------------------------


Version-Release number of selected component (if applicable):
kernel-2.6.23-0.211.rc8.git2.fc8.x86_64

How reproducible:
After 1662 runs of the testcase; testcase has 2000 internal loops =>
=> approx. 3324000th cycle.

Steps to Reproduce:
1. gcc -o ./clone-get-signal ./clone-get-signal.c -Wall -ggdb2
2. while ./clone-get-signal ;do echo -n .;done

Actual results:
Kernel crash.

Expected results:
No kernel crash, just infinite dotting.
Comment 1 Jan Kratochvil 2007-09-30 07:06:58 EDT
Created attachment 211681 [details]
Testcase, a modified one from adobriyan-at-sw.ru.
Comment 2 Jan Kratochvil 2007-09-30 07:36:45 EDT
Confirmed as still broken on:
kernel-2.6.23-0.214.rc8.git2.fc8.x86_64
(x86_64 qemu-kvm -smp 2)
After 81 testcase runs (81*2000 cycles).

------------[ cut here ]------------
kernel BUG at kernel/utrace.c:328!
invalid opcode: 0000 [1] SMP 
CPU 1 
Modules linked in: snd_hda_intel snd_usb_audio snd_seq_dummy snd_seq_oss
snd_seq_midi_event snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_timer
snd_page_alloc snd_usb_lib snd_rawmidi snd_seq_device snd_hwdep snd soundcore
nfs nfsd exportfs lockd nfs_acl auth_rpcgss sunrpc ipv6 dm_mirror dm_mod video
output sbs button battery ac floppy parport_pc parport 8139too 8139cp mii sr_mod
cdrom sg ata_piix ahci libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd
ehci_hcd
Pid: 14810, comm: clone-get-signa Not tainted 2.6.23-0.214.rc8.git2.fc8 #1
RIP: 0010:[<ffffffff8107570f>]  [<ffffffff8107570f>] check_dead_utrace+0xfb/0x166
RSP: 0018:ffff8100082e9e58  EFLAGS: 00010246
RAX: 0000000000000000 RBX: 000000000007e569 RCX: 0000000000000000
RDX: 0000000000000008 RSI: ffff81000849c900 RDI: ffff810008aba000
RBP: ffff810008aba000 R08: 00000000000001e0 R09: 0000000000000000
R10: ffffffff8107503b R11: 0000000000000212 R12: 0000000000000000
R13: ffff81000849c900 R14: 0000000000000000 R15: 0000000000000000
FS:  00002aaaaaac26f0(0000) GS:ffff81000fcc04b0(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 000000304b550904 CR3: 0000000008b7f000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process clone-get-signa (pid: 14810, threadinfo ffff8100082e8000, task
ffff810008734000)
Stack:  000000000007e569 ffff810008aba000 0000000000000000 000000000007e569
 ffff810008aba000 ffffffff81075eef 0000000000000018 000000000007e569
 ffff81000849c900 ffff810008aba000 ffff810008bf6a80 ffffffff81076069
Call Trace:
 [<ffffffff81075eef>] wake_quiescent+0x57/0x12e
 [<ffffffff81076069>] utrace_detach+0xa3/0xba
 [<ffffffff81077d2a>] ptrace_detach+0x6e/0x10b
 [<ffffffff810782fc>] ptrace_common+0x98/0x184
 [<ffffffff81078d68>] sys_ptrace+0xf0/0x1ed
 [<ffffffff8100bd2a>] tracesys+0x71/0xda
 [<ffffffff8100bd8e>] tracesys+0xd5/0xda


Code: 0f 0b eb fe 4c 89 ef e8 58 fd ff ff 49 83 fe 10 75 3a 8b b5 
RIP  [<ffffffff8107570f>] check_dead_utrace+0xfb/0x166
 RSP <ffff8100082e9e58>
BUG: spinlock lockup on CPU#0, clone-get-signa/14811, ffff81000849c920 [Tainted:
G      D]

Call Trace:
 [<ffffffff8112e6d0>] _raw_spin_lock+0xd7/0xfe
 [<ffffffff81269850>] _spin_lock+0x47/0x52
 [<ffffffff81075c2a>] utrace_quiescent+0x148/0x21b
 [<ffffffff81076b07>] utrace_get_signal+0x4b1/0x514
 [<ffffffff810428ee>] get_signal_to_deliver+0x5a/0x3fb
 [<ffffffff810429ba>] get_signal_to_deliver+0x126/0x3fb
 [<ffffffff8100b0e9>] do_notify_resume+0xa8/0x733
 [<ffffffff81052542>] lock_release_holdtime+0x27/0x48
 [<ffffffff8100bc9b>] sysret_signal+0x21/0x31
 [<ffffffff8100bf47>] ptregscall_common+0x67/0xb0

BUG: spinlock lockup on CPU#1, clone-get-signa/14810, ffff81000849c920 [Tainted:
G      D]

Call Trace:
 [<ffffffff8112e6d0>] _raw_spin_lock+0xd7/0xfe
 [<ffffffff81269850>] _spin_lock+0x47/0x52
 [<ffffffff8107503b>] get_utrace_lock_attached+0x34/0x61
 [<ffffffff81075fdb>] utrace_detach+0x15/0xba
 [<ffffffff81078be9>] ptrace_exit+0x69/0xf8
 [<ffffffff8103b051>] do_exit+0x151/0x8d2
 [<ffffffff8100d42d>] kernel_math_error+0x0/0x71
 [<ffffffff8100d87a>] do_invalid_op+0x8a/0x94
 [<ffffffff8107570f>] check_dead_utrace+0xfb/0x166
 [<ffffffff81032747>] sched_balance_self+0x153/0x2a5
 [<ffffffff810542cb>] mark_held_locks+0x49/0x67
 [<ffffffff812692eb>] trace_hardirqs_on_thunk+0x35/0x37
 [<ffffffff8126a1ad>] error_exit+0x0/0x96
 [<ffffffff8107503b>] get_utrace_lock_attached+0x34/0x61
 [<ffffffff8107570f>] check_dead_utrace+0xfb/0x166
 [<ffffffff81075eef>] wake_quiescent+0x57/0x12e
 [<ffffffff81076069>] utrace_detach+0xa3/0xba
 [<ffffffff81077d2a>] ptrace_detach+0x6e/0x10b
 [<ffffffff810782fc>] ptrace_common+0x98/0x184
 [<ffffffff81078d68>] sys_ptrace+0xf0/0x1ed
 [<ffffffff8100bd2a>] tracesys+0x71/0xda
 [<ffffffff8100bd8e>] tracesys+0xd5/0xda
Comment 3 Jan Kratochvil 2007-10-04 15:12:35 EDT
Confirmed as still broken on:
kernel-2.6.23-0.217.rc9.git1.fc8.x86_64
(x86_64 4 CPU)

clone-get-signa used greatest stack depth: 3512 bytes left
clone-get-signa used greatest stack depth: 3240 bytes left
clone-get-signa used greatest stack depth: 3016 bytes left
clone-get-signa used greatest stack depth: 2984 bytes left
clone-get-signa used greatest stack depth: 2936 bytes left
------------[ cut here ]------------
kernel BUG at kernel/utrace.c:328!
invalid opcode: 0000 [1] SMP 
CPU 1 
Modules linked in: autofs4 hidp rfcomm l2cap bluetooth sunrpc ipv6
cpufreq_ondemand acpi_cpufreq dm_multipath video output sbs battery ac lp loop
tg3 snd_hda_intel snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq
snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer parport_pc snd
iTCO_wdt iTCO_vendor_support soundcore snd_page_alloc button serio_raw parport
i5000_edac joydev edac_core shpchp floppy sr_mod cdrom sg dm_snapshot dm_zero
dm_mirror dm_mod ata_generic ata_piix libata sd_mod scsi_mod ext3 jbd mbcache
uhci_hcd ohci_hcd ehci_hcd
Pid: 17037, comm: clone-get-signa Not tainted 2.6.23-0.217.rc9.git1.fc8 #1
RIP: 0010:[<ffffffff810757a3>]  [<ffffffff810757a3>] check_dead_utrace+0xfb/0x166
RSP: 0018:ffff81006ddd3e58  EFLAGS: 00010246
RAX: 0000000000000000 RBX: 000000000007e569 RCX: 0000000000000000
RDX: 0000000000000008 RSI: ffff81006c91b000 RDI: ffff81006f024000
RBP: ffff81006f024000 R08: 0000000000000215 R09: 0000000000000000
R10: ffffffff810750cf R11: 0000000000000212 R12: 0000000000000000
R13: ffff81006c91b000 R14: 0000000000000000 R15: 0000000000000000
FS:  00002aaaab0166f0(0000) GS:ffff81007ffc0578(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00002aaaab0118e4 CR3: 000000006c456000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process clone-get-signa (pid: 17037, threadinfo ffff81006ddd2000, task
ffff81006ddd0000)
Stack:  000000000007e569 ffff81006f024000 0000000000000000 000000000007e569
 ffff81006f024000 ffffffff81075f83 0000000000000292 000000000007e569
 ffff81006c91b000 ffff81006f024000 ffff81006d6c6180 ffffffff810760fd
Call Trace:
 [<ffffffff81075f83>] wake_quiescent+0x57/0x12e
 [<ffffffff810760fd>] utrace_detach+0xa3/0xba
 [<ffffffff81077dbe>] ptrace_detach+0x6e/0x10b
 [<ffffffff81078390>] ptrace_common+0x98/0x184
 [<ffffffff81078dfc>] sys_ptrace+0xf0/0x1ed
 [<ffffffff8100bbfe>] system_call+0x7e/0x83


Code: 0f 0b eb fe 4c 89 ef e8 58 fd ff ff 49 83 fe 10 75 3a 8b b5 
RIP  [<ffffffff810757a3>] check_dead_utrace+0xfb/0x166
 RSP <ffff81006ddd3e58>
Comment 4 Bug Zapper 2008-04-04 09:57:43 EDT
Based on the date this bug was created, it appears to have been reported
during the development of Fedora 8. In order to refocus our efforts as
a project we are changing the version of this bug to '8'.

If this bug still exists in rawhide, please change the version back to
rawhide.
(If you're unable to change the bug's version, add a comment to the bug
and someone will change it for you.)

Thanks for your help and we apologize for the interruption.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.
Comment 5 Jan Kratochvil 2008-06-08 13:56:29 EDT
Verified as fixed on kernel-2.6.25.4-10.fc8.x86_64.

Note You need to log in before you can comment on or make changes to this bug.